Troy Owen never thought he’d see the day when the cyber thieves who robbed his company of $800,000 would ever be charged with any crime. Owen said investigators had warned him early on that the perpetrators were mostly overseas in places like Ukraine and Moldova, and that it might be tough to pursue those responsible.
But earlier today, authorities in New York announced they had charged more than 60 individuals — and arrested 20 — in connection with international cyber heists perpetrated against dozens of companies in the United States, including Owen’s.
In November 2009, cyber crooks used a sophisticated password stealing Trojan horse program called “ZeuS” to hack into computers at Owen’s firm — Plano, Texas-based Hillary Machinery. The program swiped the company’s online banking passwords, allowing the attackers to initiate more than $800,000 in bogus transfers out of the company’s online account to dozens of people in the United States who helped launder the money and send it to the attackers in Eastern Europe.
More than $14,100 of Hillary’s money was wired to Stanislav Rastorgeuv, a 22-year-old Russian national who entered the United States in June 2009 on a “J1” student visa. According to charging documents, Rastorgeuv was the poster child for money launderers looking to recruit new mules to help retrieve the proceeds of ZeuS Trojan virus attacks.
Authorities say almost all of those arrested or charged in this case are young Eastern Europe men and women who were either planning to travel to, or were already present in, the United States on J1 student visas. Once the students were in the United States, the organizers of the mule organization gave the recruits fake foreign passports to open accounts at local banks.
Then, days or weeks after those accounts were opened, other actors in the group would transfer money from cybercrime victims into the mule accounts, typically in amounts close to $10,000. Once the transfers were complete, the mules would quickly withdraw the money, keep a portion for themselves (usually 8 to 10 percent) and transfer the remaining amount to other participants in the fraud scheme, usually individuals overseas.
Some mules were asked to open a large number of bank accounts to help launder stolen funds. Charging documents say Rastogeuv opened up multiple bank accounts under his own name and using fake passports for fictitious individuals, including the names “Petr Rubsashkin” and “Alexey Iankov.” In addition to the unauthorized transfer sent to him by Hillary Machinery, Rastogeuv allegedly helped to launder nearly $30,000 from other victim companies over the next two months.
U.S. authorities say the ringleader of the New York-based money mule gang was Artem “Artur” Tsygankov, a Russian citizen living in New York who allegedly recruited Rastogeuv and other mules, supplied them with fake identity documents, and managed their daily activities. In all, the New York gang cleared more than $3 million from victim corporations using hundreds of accounts opened under false identities.
Others are charged with hacking into and siphoning funds from online brokerage accounts. Jamal Beyrouti, 53, Lorenzo Babbo, 20, and 29-year-old Vincenzo Vitello worked with hackers who infiltrated trading accounts at E-Trade and TD Ameritrade, executing fraudulent sales of securities and transferring the proceeds to accounts the mules controlled. At the same time, the attackers blasted victims’ phones with a barrage of calls to prevent the brokerage firms from contacting them to confirm the legitimacy of the transactions. The scam allowed mules to transfer roughly $1.2 million from hacked brokerage accounts.
Today’s announcement is the culmination of a year-long investigation by the U.S. Attorney’s Office for the Southern District of New York, the FBI, the NYPD, the Department of State Diplomatic Security Service, the New York Office of Homeland Security Investigation, and the U.S. Secret Service.
The law enforcement sweep announced today also coincides with a related action in the United Kingdom, where police this week charged 11 men and women from Belarus, Estonia, Latvia, and Ukraine with facilitating money mule operations in the U.K. The e-Crimes Unit of the U.K. Metropolitan Police said gang members arrested there are believed to have stolen more than $30 million from banks and businesses worldwide, and roughly £6 million (US $9.5 million) from financial institutions in the United Kingdom during a three-month period.
“As today’s arrests show, the modern, high-tech bank heist does not require a gun, a mask, a note, or a getaway car. It requires only the Internet and ingenuity,” Manhattan U.S. Attorney Preet Bharara said in a written statement. “And it can be accomplished in the blink of an eye, with just a click of the mouse. But today’s coordinated operation demonstrates that these 21st Century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat, and bring cyber criminals to justice.”
Hillary Machinery’s Owen said he’s pleased about the news, but he isn’t breaking out the bubbly just yet: While Stanislav Rastorgeuv is charged with conspiracy to commit bank fraud and the false use of a passport and faces 40 years in prison and more than $1 million in fines, he is among 17 individuals charged today that authorities say are still at large.
“This is still excellent news, even if they haven’t caught everyone involved,” Owen said. “I had already pretty much given up hope that they’d be able to find these guys. I’m just glad they’re finally starting to bring some of these people to justice.”
If Owen is jaded, it may have something to do with the legal nightmare he and his company had to endure after the theft. A month following the cyber heist, the firm’s bank – Plains Capital Bank – sued Hillary Machinery in a preemptive bid to convince a judge to declare that the bank’s online security was commercially reasonable and capable of protecting customers from the latest cyber threats.
Both parties later settled the dispute for an undisclosed amount. But there are many similar cases now working their way through U.S. courts, as more and more businesses and banks tussle over who is responsible for cyber heists that frequently net thieves hundreds of thousands of dollars.
More often than not, victimized businesses are left holding the bag. That’s because unlike consumers – who under U.S. law cannot be held liable for fraud against their accounts if they report the unauthorized activity promptly – businesses enjoy no such protections.
Owens said he’s not waiting around for the banks to get their acts together: His company now only conducts online banking from a dedicated computer that is only used to access the company’s bank accounts online.
“Even if they do manage to catch all of these crooks, I wonder how many people are waiting in line to take their place,” Owen mused. “I still think wholeheartedly that the best approach is to have good, preventative security in place.”
Update, Oct. 5, 12:40 a.m.: The FBI’s Wanted page now indicates Rastorguev has surrendered.